ZmnSCPxj already observed in [1] that these ops would enable introspection of any field of the transactions and make both `OP_CHECKLOCKTIMEVERIFY` and `OP_CHECKSEQUENCEVERIFY` superfluous. There is much more to this as enumerated in generic terms by Russel O’Connor below and I would like to add a concrete example.
We could implement oracle less difficulty contracts without the need the of a
CISC type OP_WORKVERIFY but instead through resurrection/extension of OP_CAT,
OP_GREATERTHANOREQUAL and introduction of a new RISC opcode
OP_CHECKBLOCKATHEIGHT[3] suggested by Luke Dashjr. Thanks for the pointer to
Nathan Cook [4]
Technically we could resurrect and add them without burning more than one
OP_NOP by redefining it as a prefix (OP_EXTENSION), such as:
OP_EXTENSION OP_CAT would become a two byte opcode pointing to a resurrected
implementation of OP_CAT.
This could be soft forked in.
A concrete oracle less difficulty contract could look like:
It is an european digital call option on target difficulty after maturity and
10 blocks notice period. I gave you reasons while having these would increase
bitcoin's security in [2]
IF
<maturity as block height + 10> CHECKLOCKTIMEVERIFY DROP
<speculator’s key> CHECKSIGVERIFY
ELSE
OP_DUP <maturity as block height - 1> OP_CHECKBLOCKATHEIGHT
OP_LESSTHANEQUAL OP_VERIFY
OP_SWAP OP_CAT OP_CAT OP_HASH256 <contracted target> OP_LESSTHANEQUAL
OP_VERIFY
<miner’s key> CHECKSIGVERIFY
ENDIF
insurance premium could be collected by the seller of the insurance after
maturity + 10 blocks if target difficulty was not reached
<speculator’s signature>
miner would get back its insurance premium plus collateral of the seller if
target difficulty was not reached at maturity. Miner has 10 blocks time after
maturity to claim with:
<maturity block header after prevhash> <maturity block version> <prevhash>
The stack would be in second case processed as:
1: after pushes
<maturity block prevhash>
<maturity block version>
<maturity block block header after prevhash>
2: after OP_DUP:
<maturity block prevhash>
<maturity block prevhash>
<maturity block version>
<maturity block block header after prevhash>
3: after push
<maturity as block height - 1>
<maturity block prevhash>
<maturity block prevhash>
<maturity block version>
<maturity block block header after prevhash>
4: after OP_CHECKBLOCKATHEIGHT OP_VERIFY is successful proving that prevhash is
the block at maturity block height - 1
<maturity block prevhash>
<maturity block version>
<maturity block block header after prevhash>
5: after OP_SWAP
<block version>
<maturity block prevhash>
<block header after prevhash>
6: after OP_CAT
<maturity block version concatenated with maturity prevhash>
<maturity block block header after maturity prevhash>
7: after OP_CAT
<complete block header>
8: after OP_HASH256
<block hash computed for header>
9: after push
<contracted target>
<block hash computed for header>
10: after OP_GREATERTHANOREQUAL OP_VERIFY proves that contracted target was
reached
Tamas Blummer
[1]
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-May/016966.html
<https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-May/016966.html>
[2]
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-June/017019.html
<https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-June/017019.html>
[3] https://github.com/luke-jr/bips/blob/bip-cbah/bip-cbah.mediawiki
<https://github.com/luke-jr/bips/blob/bip-cbah/bip-cbah.mediawiki>
[4]
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-May/016954.html
<https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-May/016954.html>
[5] https://github.com/bitcoin/bitcoin/blob/master/src/script/script.h
<https://github.com/bitcoin/bitcoin/blob/master/src/script/script.h>
> On May 22, 2019, at 23:01, Russell O'Connor via bitcoin-dev
> <[email protected]> wrote:
>
> Recently there have been some tapscript proposals, SIGHASH_ANYPREVOUT and
> OP_CHECKOUTPUTHASHVERIFY, that aim to enable particular new features for
> Bitcoin via new Script operations. However, I think that these proposals
> miss the mark when it comes to how they approach Bitcoin Script and language
> features.
>
> Bitcoin Script appears designed to be a flexible programmable system that
> provides generic features to be composed to achieve various purposes. Thus,
> when we design new language features for Script, we should be striving, as
> much as possible, to similarly build general purpose tools which can in turn
> be used for a variety of purposes.
>
> I feel the SIGHASH_ANYPREVOUT and OP_CHECKOUTPUTHASHVERIFY proposals fail to
> achieve these design goals. They are both are designed with very narrow
> applications in mind, while also going out of their way to extend the
> semantic domain of the interpretation of Bitcoin operations in new ways that
> complicate their specification. In the case of SIGHASH_ANYPREVOUT, the
> semantic domain is extended by adding new counters to track the use of
> various v0 and v2 signature types. In the case of OP_CHECKOUTPUTHASHVERIFY,
> it employs a new context-sensitive operation that peeks at the value of
> surrounding opcodes.
>
> Instead, I propose that, for the time being, we simply implement OP_CAT and
> OP_CHECKSIGFROMSTACKVERIFY. OP_CAT pops two byte arrays off the stack and
> pushes their concatenation back onto the stack. OP_CHECKSIGFROMSTACKVERIFY
> pops a signature, message, and pubkey off the stack and performs a
> bip-schnorr verification on the SHA256 hash of the message.
>
> In concert, these two operations enable:
>
> * Oracle signature verification, including discrete log contracts.
> * Amortized secure multiparty computations (see "Amortizing Secure
> Computation with Penalties" by Kumaresan and Bentov).
> * Transaction introspection including:
> + <> Simulated SIGHASH_ANYPREVOUT, which are necessarily chaperoned simply by
> the nature of the construction.
> + <> Decide if a transaction has exactly one input or not. (etc.)
> + Weak covenants, which can verify output scripts to see if they are among a
> set of predefined values or verify the output hash.
>
> and presumably more applications as well.
>
> For better or for worse, without an OP_PUBKEYTWEEK operation available, the
> more interesting recursive-covenants remain largely out of reach, with the
> exception of a recursive covenant that is only able to send back to its own
> address, possibly abusing its own TXO value as a state variable.
>
> All this is accomplished by two straightforward opcodes whose semantics are
> pure computational operations on stack values. The only semantic side-effect
> is that OP_CHECKSIGFROMSTACKVERIFY would count towards the existing
> 'sigops_passed' count. Moreover, I feel that adding these operations does
> not preclude adding more specialized opcodes in the future as an optimization
> for whatever popular constructions come up, once we know what those are.
>
> I feel that this style of generic building blocks truly embodies what is
> meant by "programmable money".
> _______________________________________________
> bitcoin-dev mailing list
> [email protected]
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
signature.asc
Description: Message signed with OpenPGP
_______________________________________________ bitcoin-dev mailing list [email protected] https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
